Friday, May 12, 2017

Player 3 Has Entered the Game: Say Hello to 'WannaCry'

Executive Summary

A major ransomware attack has affected many organizations across the world reportedly including Telefonica in Spain, the National Health Service in the UK, and FedEx in the US. The malware responsible for this attack is a ransomware variant known as 'WannaCry'.

The malware then has the capability to scan heavily over TCP port 445 (Server Message Block/SMB), spreading similar to a worm, compromising hosts, encrypting files stored on them then demanding a ransom payment in the form of Bitcoin. It is important to note that this is not a threat that simply scans internal ranges to identify where to spread, it is also capable of spreading based on vulnerabilities it finds in other externally facing hosts across the internet.

Additionally, Talos has observed WannaCry samples making use of DOUBLEPULSAR which is a persistent backdoor that is generally used to access and execute code on previously compromised systems. This allows for the installation and activation of additional software, such as malware. This backdoor is typically installed following successful exploitation of SMB vulnerabilities addressed as part of Microsoft Security Bulletin MS17-010. This backdoor is associated with an offensive exploitation framework that was released as part of the Shadow Brokers cache that was recently released to the public. Since its release it has been widely analyzed and studied by the security industry as well as on various underground hacking forums.

WannaCry appears to primarily utilize the ETERNALBLUE modules and the DOUBLEPULSAR backdoor. The malware uses ETERNALBLUE for the initial exploitation of the SMB vulnerability. If successful it will then implant the DOUBLEPULSAR backdoor and utilize it to install the malware. If the DOUBLEPULSAR backdoor is already installed the malware will still leverage this to install the ransomware payload. This is the cause of the worm-like activity that has been widely observed across the internet

Organizations should ensure that devices running Windows are fully patched and deployed in accordance with best practices. Additionally, organizations should have SMB ports (139, 445) blocked from all externally accessible hosts.

Please note this threat is still under active investigation, the situation may change as we learn more or as our adversary responds to our actions. Talos will continue to actively monitor and analyze this situation for new developments and respond accordingly. As a result, new coverage may be developed or existing coverage adapted and/or modified at a later date. For current information, please refer to your Firepower Management Center or Snort.org.

Campaign Details

Infrastructure Analysis

Cisco Umbrella researchers first observed requests for one of WannaCry's killswitch domains (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) starting at 07:24 UTC, then rising to a peak of just over 1,400 nearly 10 hours later.

The domain composition looks almost human typed, with most characters falling into the top and home rows of a keyboard.

Communication to this domain might be categorized as a kill switch domain due to its role in the overall execution of the malware:

The above subroutine attempts an HTTP GET to this domain, and if it fails, continues to carry out the infection. However if it succeeds, the subroutine exits. The domain is registered to a well known sinkhole, effectively causing this sample to terminate its malicious activity.

The raw registration information re-enforces this as it was registered on 12 May 2017:

Malware Analysis

An initial file "mssecsvc.exe" drops and executes "tasksche.exe", this exe tests the kill switch domains. One complete, the service mssecsvc2.0 is created, this is a method of persistance for the malware. This service executes "mssecsvc.exe" with a different entry point than the initial execution. This second execution executes 2 threads. The first thread checks the IP address of the infected machine and attempts to connect to TCP445 (SMB) of each host/IP address in the same subnet and second thread generates random IP address on the Internet to perform the same action. When the malware successfully connects to a machine, a connection is initiated and data is transferred. The malware exploits the SMB vulnerability addressed by Microsoft in the bulletin MS17-010 (ETERNALBLUE) in order to implant the DOUBLEPULSAR backdoor. The backdoor is used to execute WANNACRY on the new compromised system.

The file tasksche.exe checks for disk drives, including network shares and removable storage devices mapped to a letter, such as 'C:/', 'D:/' etc. The malware then checks for files with a file extension as listed in the appendix and encrypts these using 2048-bit RSA encryption. While the files are being encrypted, the malware creates a new file directory 'Tor/' into which it drops tor.exe and nine dll files used by tor.exe. Additionally, it drops two further files: taskdl.exe & taskse.exe. The former deletes temporary files while the latter launches @wanadecryptor@.exe to display the ransom note on the desktop to the end user. The @wanadecryptor@.exe is not in and of itself the ransomware, only the ransom note. The encryption is performed in the background by tasksche.exe.

The tor.exe file is executed by @wanadecryptor@.exe. This newly executed process initiates network connections to Tor nodes. This allows WannaCry to attempt to preserve anonymity by proxying their traffic through the Tor network.

Typical of other ransomware variants, the malware also deletes any shadow copies on the victim's machine in order to make recovery more difficult. It achieve this by using WMIC.exe, vssadmin.exe and cmd.exe.

WannaCry uses various methods to attempt to aid its execution by leveraging both attrib.exe to modify the +h flag (hide) and also icacls.exe to allow full access rights for all users, "icacls . /grant Everyone:F /T /C /Q"

The malware has been designed as a modular service. It appears to us that the executable files associated with the ransomware have been written by a different individual than whomever developed the service module. Potentially, this means that the structure of this malware can be used to deliver and run different malicious payloads.

After encryption is complete, the malware displays the following ransomware note. One interesting aspect of this ransomware variant is that the ransom screen is actually an executable and not an image, HTA file, or text file.

Organisations should be aware that there is no obligation for criminals to supply decryption keys following the payment of a ransom. Talos strongly urges anyone who has been compromised to avoid paying the ransom if possible as paying the ransom directly funds development of these malicious campaigns.

Mitigation and Prevention

Organizations looking to mitigate the risk of becoming compromised should follow the following recommendations:

Ensure all Windows-based systems are fully patched. At a very minimum, ensure Microsoft bulletin MS17-010 has been applied.

In accordance with known best practices, any organization who has SMB publically accessible via the internet (ports 139, 445) should immediately block inbound traffic.

Additionally, organizations should strongly consider blocking connections to TOR nodes and TOR traffic on network. Known TOR exit nodes are listed within the Security Intelligence feed of ASA Firepower devices. Enabling this to be blacklisted will prevent outbound communications to TOR networks.

In addition to the mitigations listed above, Talos strongly encourages organizations take the following industry-standard recommended best practices to prevent attacks and campaigns like this and similar ones.

Have effective patch management that deploys security updates to endpoints and other critical parts of your infrastructure in a timely manner.

Run anti-malware software on your system and ensure you regularly receive malware signature updates.

Implement a disaster recovery plan that includes backing up and restoring data from devices that are kept offline. Adversaries frequently target backup mechanisms to limit the possibilities a user may be able to restore their files without paying the ransom.

Coverage

Snort Rule: 42329-42332, 42340, 41978

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

Network Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with this threat.

The CCC Tor authority is indeed a CCC node, however, it is part of the indicators associated with our samples. The Tor nodes are all Tor nodes used throughout our analysis. It's also fair to say these could be specific to us as, I am sure you know, the Tor nodes are not something a user can configure.

In short - we publish all related IOCs. More information is good information.

A likely point of confusion was the Jaff ransomeware, another new type of ransomware (so 2 new types in 2 days) that did spread via email, used the same executable name. It’s possible this lead some folks to the wrong conclusion. Many sites are including pictures of emails that are clearly Jaff. It’s also possible we’ve not seen everything yet but only time will tell. As we state in the blog it’s an ongoing investigation.

The registering of the domain to kill the spread of the virus was the work of someone at a Malware company - see https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack

Great analysis but you may want to withdraw the kill switch domain name. If not, lots of people reading your page may be tempted to query it, polluting all the maps that are keeping track of the infection ... just my 0.5

Hi Alice,Did you not bring Bob to back up your story? :)Seriously though - the malware used Tor nodes to proxy their traffic. It's entirely fair to say these may never be used in conjunction with this malware again, sure. In light of the network indicators we discover we like to publish everything. The sanity of the blog is for us to decide ;)

One thing that i don't understand is, why didn't the creators of the malware owned the "kill switch" domain in the first place? They could still "hit the switch" through specific httpresponse code. Obviously this requires some infrastructure on they own to handle the malwares requests.

Excellent article. I’ve been reading plenty and infer that user rights are of no consequence with this scenario. A user with least user rights on the network, no local or domain admin rights, could click an infected attachment or link or invoke any attack vector and this nastiness can start scanning the internal network via port 445 for all vulnerable computers and potentially infect all of them without the need for elevated privileges along the way. I’m hoping that it could still only encrypt files on a file server that the initiating user had access to. Is this correct? If it can bypass user privilege access restrictions and encrypt every share on the network then that’s the really scary part for all networks that have best practices layered security with layered user rights.